Method for secure storage of sensitive data in a silicon chip integrated system storage in particular a smart card and integrated system therefor

ABSTRACT

The invention concerns a method for secure storage of a piece of so-called sensitive data, for example an encryption key, in a memory (M) of an embedded microchip system, particularly a smart card (CP). The memory (M) comprises two physically distinct storage devices (1, 2), for example a permanent memory of the “ROM” type (1), and a second, re-programmable memory of the “EEPROM” type (2). The piece of sensitive data is divided into at least two parts (d, d′), in a given logical configuration, each of these parts being stored in one of the distinct storage devices (1, 2). An additional piece of verification data, a checksum or hash data, can also be stored in the first storage device (1), at the same time as the first sensitive data part (d).

The invention also concerns an embedded microchip system, particularly a smart card (CP).

[0001] The invention concerns a method for secure storage of sensitive data in a memory of an embedded microchip system.

[0002] It applies more particularly to a smart card.

[0003] The invention also relates to an embedded system for implementing the method.

[0004] In the context of the invention, the term “embedded system” refers to various systems or devices having in common the fact of using a microchip comprising data storage and data processing means, generally constituted by a microprocessor or a microcontroller. Such an embedded system can be constituted, in particular, by a smart card.

[0005] The term “sensitive” should be understood in its most general sense. It concerns all sorts of secret or at least confidential data, including encryption algorithms, secret encryption keys, identification data or information of a secret nature, etc., stored in one or more types of memories with which the smart cards are equipped. This type of data will hereinafter be referred to generically as “secret.”

[0006] The invention applies more particularly, though not exclusively, to the storage of secret keys stored in order to be used for the secure pre-initialization of smart cards. In fact, it is well known that functions related to security are devolved to smart cards. Here again, the term security should be understood in a broad sense. This term actually covers various concepts: confidentiality, authentication, etc.

[0007] Hereinafter, in order to illustrate the concepts without in any way limiting its scope, we will consider the preferred application of the invention, unless otherwise mentioned.

[0008] Normally, in the prior art, the secrets contained in smart cards are stored linearly in the same storage area. In particular, the secrets are stored in permanent read-only memories (“ROM”) or semi-permanent, i.e. electrically erasable programmable read-only memories, for example of the “EEPROM” type. The memories of microchips are vulnerable to hackers, and the attacks seen are becoming increasingly numerous and sophisticated.

[0009] In particular, the “dumping” (or copying) of the “ROM” memory is a constant concern for smart cards.

[0010] Memories of the “EEPROM” type, which traditionally contain so-called sensitive data, are subject to most of the attacks known at the present time.

[0011] The object of the invention is to eliminate the drawbacks of the devices of the prior art, some of which have just been mentioned.

[0012] The object of the invention is to provide a method for secure storage of sensitive data in the memory of a smart card, and more generally in the memory of an embedded microchip system.

[0013] It also concerns an embedded microchip system for implementing the method. The microchip comprises data storage and data processing means, generally under the control of an operating system (or “OS”).

[0014] For this reason, according to an advantageous characteristic, the secret is physically and logically “split” into several storage means with which the microchip is equipped.

[0015] In one advantageous embodiment, the memory of said microchip is divided into distinct parts, the first being constituted by a “ROM” type memory, more generally a permanent ROM, the second part being constituted by a memory of the “EEPROM” type, more generally a semi-permanent EEPROM.

[0016] According to a first variant of the method of the invention, the same secret is “split” between two or more physically distinct memory parts.

[0017] In particular, in the preferred field of application of the invention, the method makes it possible to authenticate a smart card in the pre-initialization phase, when the “EEPROM” type memory part is still empty of any data other than that programmed by an entity that will be called a “chip manufacturer.”

[0018] In the context of the invention, the term “pre-initialization” is meant in a general sense. It particularly relates to the manufacturing phase of a traditional smart card, or to the phase preceding the initialization phase of a so-called open smart card.

[0019] According to another advantageous embodiment, the majority of the data constituting the secret is stored in “ROM.” Only a small part of this data is stored in “EEPROM.”

[0020] According to this additional characteristic of the invention, the vast majority of a secret key is contained in the “ROM” type memory part. The chip manufacturer need only write a much smaller part of the secret key into the “EEPROM” type memory part in order for the aforementioned operating system to be able to use the secret key as a whole. Because of its particular storage, it should be noted that the secret key is sent in two parts to two distinct divisions of the manufacturer, which makes it possible to reduce the risks of fraud during the secret transfer.

[0021] This particular storage makes it possible to minimize the number of bytes probe-programmed by the manufacturer and consequently has the advantage of reducing manufacturing costs. In fact, to guarantee a high degree of security, the keys actually used are very long. It is possible to facilitate the storage of these very long keys, normally carried out in EEPROM, by relocating the largest parts into ROM.

[0022] According to a second variant of embodiment, a first secret is stored in a first part of the memory and one or more other secrets, directly or indirectly derived from the first secret, is (are) stored in at least one other part of a physically distinct memory. This or these additional secret(s) can advantageously be obtained by encryption.

[0023] For example, in a typical field of application of the method according to the invention, a (symmetric) encryption key is present in a first storage area of a smart card, of the “ROM” type, during its masking. A piece of confidential information is stored in a second storage area, of the “EEPROM” type, during the utilization of the smart card. This information is encrypted (for example using the so-called Triple DES algorithm) with the aforementioned encryption key present in the ROM area. This method is very advantageous. In fact, in addition to protection against the “dumping” of the memory, it is clear that the information is also protected when it is written into the smart card. Even the entity that “writes” the key does not know it.

[0024] From the above, it follows that, no matter which embodiments or variants of embodiments are considered, a successful fraudulent attack on one part of the memory cannot lead to the full knowledge of the secret. In reality, as long as the distribution of the elements of the secret among the distinct parts of the memory is done judiciously, partial knowledge of the secret acquired in a fraudulent manner will never make it possible to subsequently retrieve the secret, for example, by attempting a decryption using appropriate mathematical operations that would make it possible to deduce the full secret from the aforementioned partial knowledge. This judicious distribution itself is within the capability of one skilled in the art. The attack will then be considered to have finally failed.

[0025] Moreover, as will be shown below in greater detail, it is possible to associate the method of the invention with provisions for verification, authentication and/or encryption, which are intrinsically known, but for which the degree of security obtained is reinforced as a result of the provisions specific to the invention.

[0026] Hence, the main subject of the invention is a method for secure storage of a piece of so-called sensitive data in a memory of an embedded microchip system comprising at least two physically distinct storage means, characterized in that said piece of sensitive data is divided into at least two parts, in a given logical configuration, and in that each of said divided parts is stored in one of said physically distinct storage means.

[0027] Another subject of the invention is an embedded microchip system for implementing this method.

[0028] According to one particular embodiment, the method is characterized in that, said piece of sensitive data being divided into first (d) and second (d′) parts, respectively stored in first (1) and second (2) physically distinct storage means, an operation called a checksum is performed on said sensitive data, concomitant with the storage of said second part (d), the result of which is in the form of a piece of informational data, in that said informational data is stored in said first storage means (1), and in that it includes a reading of said informational data, an additional checksum operation on said sensitive data, and a comparison between said informational data read and the result of said additional checksum operation with each use of said sensitive data, in order to certify its integrity.

[0029] According to one particular embodiment, the method is characterized in that, said piece of sensitive data being divided into first (d) and second (d′) parts, respectively stored in first (1) and second (2) physically distinct storage means, an operation concomitant with the storage of said second part (d), called a checksum, is performed on said sensitive data, the result of which is in the form of a piece of informational data, in that said informational data is stored in said first storage means (1), and in that it includes a reading of said informational data, an additional checksum operation on said sensitive data, and a comparison between said informational data read and the result of said additional checksum operation with each use of said sensitive data, in order to certify its integrity.

[0030] The invention will now be described in greater detail by referring to the attached drawings, in which:

[0031] FIG. 1 schematically illustrates an exemplary configuration of the memory of a smart card according to one aspect of the invention, for an application of the method to the storage of a secret key; and

[0032] FIG. 2 schematically illustrates a variant of embodiment of the configuration of the memory of a smart card of FIG. 1.

[0033] As indicated in the preamble of the present specification, hereinafter we will consider the context of the preferred application of the invention, i.e., in the case of the securing of the pre-initialization phase of a smart card.

[0034] More precisely, we will illustrate the method according to the invention in its application to the storage of a symmetrical secret key that will hereinafter be referenced d. This key d can enable a smart card to generate a cryptogram from an appropriate asymmetric algorithm. This cryptogram, if it is returned to an authentication terminal of the smart card, can be used to authenticate the latter.

[0035] FIG. 1 schematically illustrates an exemplary architecture of a smart card CP. The latter includes a memory M, itself constituted in the example described by a random access memory of the so-called “RAM” type 3 and by a nonvolatile memory comprising a permanent part 1 of the “ROM” type and a semi-permanent part 2 of the “EEPROM” or a similar type. The smart card CP also includes data processing means, for example a microprocessor referenced CPU, that cooperate with an operating system 4. The operating system is a piece of software constituted by a sequence of microinstructions that can be completely or partially stored in the ROM area 1 and/or the EEPROM area 2 of the memory M.

[0036] According to one of the characteristics of the invention, the storage of the key d takes place in at least two physically distinct parts of the memory M. More precisely, in the example illustrated, the storage of this key d takes place in a nonvolatile part of the memory M: a part in permanent memory 1, of the “ROM” type, and a part in semi-permanent memory 2, of the “EEPROM” or a similar type.

[0037] The secret key d is therefore composed of a part in ROM 1, present before its arrival at the entity called the “chip manufacturer,” and a part written by the latter during a so-called “probe” operation into EEPROM 2. The bytes programmed into EEPROM 2 are extremely sensitive data, treated as security bytes. This of course requires that the secret key d be known at the time of the masking.

[0038] For example, to illustrate the concept, hereinafter we will consider a 1024-bit (or 128-byte) secret key d.

[0039] In a preferred embodiment of the method of the invention, the key d resides entirely in ROM 1, but certain bytes are false or altered. For example, one byte per sixteen-byte block is a dummy, an erroneous value having purposely been written into the ROM code.

[0040] The various blocks of the key d are represented in FIG. 1 with the references B₁ through B₈. The erroneous bytes are referenced O₁ through O₈. The correct values of the bytes, referenced O′₁ through O′₈, are stored in EEPROM 2, also in the form of eight corresponding bytes. These bytes O′₁ through O′₈ form a partial key d′.

[0041] In this example, eight bytes (or 128/16=8) must therefore be programmed into EEPROM 2. But it should be understood that the storage in EEPROM 2 could be done in any fashion, since the operating system 4 cooperating with the data processing means CPU handles the reconstruction in RAM 3 of the full exact key, which can be called d″, during its utilization. This reconstruction, in the example described, is done simply by substituting the correct bytes O′₁ through O′₈ for the erroneous bytes O₁ through O₈.

[0042] It is clear that the knowledge of one of the keys, either d or d′, by any means whatsoever, particularly by means of the aforementioned fraudulent “dumping” operations, would not make it possible to deduce the “full secret,” i.e., the full correct key d″.

[0043] As has been mentioned, in order to obtain good security, the keys are generally long, for example 128 bytes or 1024 bits as indicated above. The method according to the invention, in addition to the degree of security it provides, makes it possible to store in EEPROM 2 only a very small fraction of the full key d, i.e. 8 bytes or 64 bits. Only this key fraction should be “probe” written by the chip manufacturer, which is an important advantage, since this operation is long and costly.

[0044] It should be understood that many other configurations of the distribution of the key between two types of memory, ROM 1 and EEPROM 2, are possible. The two byte strings need only correspond one-to-one. However, the expert must make sure that this distribution does not allow the knowledge of one of the two partial keys, d (having the same length as the full correct key d″, but partly “altered”) or d′, to make it possible, by means of mathematical or other methods, to deduce the full key from this partial knowledge. The distribution just described in reference to FIG. 1, for the key lengths considered, meets this requirement.

[0045] In an additional variant of the method of the invention, in order to further increase the degree of security obtained, the storage in ROM 1 of an additional piece of informational data is provided, making it possible to guarantee the integrity of the secret key d, and hence to maintain the integrity of the memories ROM 1 and EEPROM 2 over time. This piece of data can take the form of a checksum calculated on the secret key. This piece of data can also be obtained by means of a hash function, or “hash” of this same key. To do this, in the latter case, an algorithm of the type known as “SHA-1” is advantageously used. This particular algorithm must therefore be installed in the smart card. The result of this hash function has a length of 160 bits. The initial operation for obtaining said key is concomitant with the storage of the key d in the ROM 1.

[0046] The checksum or the hash is executed with each utilization of the secret key and compared to the piece of informational data stored in the memory ROM 1.

[0047] FIG. 2 schematically illustrates the architecture of a smart card CP storing such “hash” data in ROM 1. The elements common to FIG. 1 have the same references and will only be re-described as necessary.

[0048] The piece of data H is stored in ROM 1 and verified with each utilization of the key in order to maintain the integrity of the storage areas ROM 1 and EEPROM 2. This verification is done under the control of the data processing means CPU and programs stored in the memory.
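The following added example (Python, not the patent's or any vendor's code) walks through the FIG. 1 and FIG. 2 scheme of paragraphs [0039] through [0048]: split_key() performs the masking-time split of the full key d″ into the ROM image d (with its dummy bytes), the EEPROM bytes d′ and the SHA-1 datum H; reconstruct() performs the operating system's byte substitution in RAM; verify_and_load() performs the per-use integrity check. The in-block position of the dummy byte, the function names and the sample key are assumptions.

```python
"""Added worked example (not the patent's code) of the FIG. 1 / FIG. 2 layout.

Assumed layout: a 128-byte key d'' is held in ROM as d with one altered
(dummy) byte O_i per 16-byte block B_i at a fixed in-block offset; the 8
correct bytes O'_i form d' in EEPROM; H = SHA-1(d'') is also kept in ROM.
"""
import hashlib
import hmac
import os

BLOCK = 16        # bytes per block B1..B8 (a 128-byte key gives 8 blocks)
DUMMY_OFFSET = 7  # assumed position of O_i inside each block (0..15)


def split_key(full_key: bytes):
    """Masking-time step: derive the ROM image d (with dummies), the EEPROM
    bytes d' and the integrity datum H from the full key d''."""
    if not full_key or len(full_key) % BLOCK:
        raise ValueError("key length must be a non-zero multiple of BLOCK")
    rom = bytearray(full_key)
    eeprom = bytearray()
    for start in range(0, len(full_key), BLOCK):
        pos = start + DUMMY_OFFSET
        eeprom.append(full_key[pos])            # O'_i: the correct byte
        # O_i: a random dummy independent of the true byte. A dummy derived
        # from the true byte (e.g. its complement) would leak it to a ROM dump.
        dummy = full_key[pos]
        while dummy == full_key[pos]:
            dummy = os.urandom(1)[0]
        rom[pos] = dummy
    h = hashlib.sha1(full_key).digest()        # 160-bit H, stored in ROM
    return bytes(rom), bytes(eeprom), h


def reconstruct(rom: bytes, eeprom: bytes) -> bytes:
    """OS step in RAM: substitute each O'_i for its O_i to rebuild d''."""
    if len(eeprom) != len(rom) // BLOCK:
        raise ValueError("EEPROM part does not match the ROM layout")
    key = bytearray(rom)
    for i, correct in enumerate(eeprom):
        key[i * BLOCK + DUMMY_OFFSET] = correct
    return bytes(key)


def verify_and_load(rom: bytes, eeprom: bytes, h_rom: bytes) -> bytes:
    """Per-use step: rebuild d'', recompute SHA-1 and compare with H.
    A mismatch means ROM, EEPROM or H was altered; the key is not released."""
    key = reconstruct(rom, eeprom)
    if not hmac.compare_digest(hashlib.sha1(key).digest(), h_rom):
        raise ValueError("integrity check failed: ROM/EEPROM contents altered")
    return key


def eeprom_fraction_bits(rom: bytes) -> int:
    """Bits the chip manufacturer must probe-program: one byte per block."""
    return (len(rom) // BLOCK) * 8


if __name__ == "__main__":
    full = bytes(range(128))                   # constructed sample key d''
    rom, eeprom, h = split_key(full)
    assert verify_and_load(rom, eeprom, h) == full
    print("probe-programmed bits:", eeprom_fraction_bits(rom))
    # One flipped EEPROM byte is detected by the per-use hash comparison.
    tampered = bytes([eeprom[0] ^ 0x01]) + eeprom[1:]
    try:
        verify_and_load(rom, tampered, h)
    except ValueError as exc:
        print("rejected:", exc)
```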

[0049] Up to this point in the description, it has been assumed, at least implicitly, that the secret data distributed between the two physically distinct parts of the memory M constitute one and the same secret.

[0050] In an additional variant of the method of the invention, the secret data stored in ROM 1 can constitute a first secret. Second secret data, derived from the first secret data, can constitute a second secret. This data, according to one of the characteristics of the invention, is then stored in a second physically distinct part of the memory M, for example in EEPROM 2. This data can advantageously be obtained by encrypting the first data using any appropriate algorithm, whether symmetric or not. The secret may be considered to be correctly “split” or “divided,” in the sense of the method according to the invention, when it cannot be deduced from the knowledge of just one part of the memory M.

[0051] Through the reading of the above, it is easy to see that the invention achieves the stated objects.

[0052] It offers a high degree of security for the storage of sensitive data, such as keys or the like, by physically distributing them into at least two physically distinct parts of the memory of a smart card, and more generally of an embedded microchip system.

[0053] It must be clear, however, that the invention is not limited to just the exemplary embodiments explicitly described, particularly in relation to FIGS. 1 and 2.

[0054] In particular, it is possible to distribute the secret data into more than two physically distinct memory parts. Likewise, when the distributed data do not represent one and the same secret, the number of secrets derived from the first can be greater than one. It is also possible to derive cascading secrets and store them separately in physically distinct memory parts.

[0055] Nor is the invention limited to the authentication application in the preinitialization phase of a smart card that has been described in greater detail. It is applicable any time an encryption key or any other piece of sensitive data must be stored in the memory of an embedded system.

CLAIMS

1. Method for secure storage of a piece of so-called sensitive data in a memory of an embedded microchip system comprising at least two physically distinct storage means, characterized in that said piece of sensitive data is divided into at least two parts (d, d′), in a given logical configuration, and in that each of said divided parts (d, d′) is stored in one of said physically distinct storage means (1, 2).

2. Method according to claim 1, characterized in that, said piece of sensitive data being divided into at least two parts (d, d′), it constitutes a single secret, and in that each of said divided parts is stored in one of said physically distinct storage means (1, 2).

3. Method according to claim 1, characterized in that, said piece of sensitive data being divided into at least two parts (d, d′), said first part (d) constitutes a first secret and each of said additional parts (d′) are derived from said first part (d) so as to constitute additional secrets, and in that each of said divided parts is stored in one of said physically distinct storage means (1, 2).

4. Method according to claim 1, characterized in that said piece of sensitive data is a binary word with a length equal to a given number of bytes and is divided in order to be stored in two physically distinct storage means (1, 2), in that a first part is a first binary word (d) constituted by blocks of bytes (B₁-B₈) of the same length as said piece of sensitive data, in that said first part (d) includes a string of correct bytes and altered bytes (O₁-O₈), distributed in said word (d) in a predetermined configuration, and in that said second part is a second binary word (d′) with a length equal to the number of said altered bytes (O₁-O₈) and constituted by bytes (O′₁-O′₈) that correspond one-to-one with said altered bytes (O₁-O₈), so that these altered bytes (O₁-O₈) can be corrected, and said piece of sensitive data can be reconstructed from said first (d) and second (d′) parts.

5. Method according to claim 4, characterized in that said piece of sensitive data is an encryption key.

6. Method according to claim 1, characterized in that, said piece of sensitive data being divided into first (d) and second (d′) parts, respectively stored in first (1) and second (2) physically distinct storage means, an operation called a checksum is performed on said sensitive data, concomitant with the storage of said second part (d), the result of which is in the form of a piece of informational data, in that said informational data is stored in said first storage means (1), and in that it includes a reading of said informational data, an additional checksum operation on said sensitive data, and a comparison between said informational data read and the result of said additional checksum operation with each use of said sensitive data, in order to certify its integrity.

7. Method according to claim 1, characterized in that, said piece of sensitive data being divided into first (d) and second (d′) parts, respectively stored in first (1) and second (2) physically distinct storage means, an operation called a hash is performed on said sensitive data, concomitant with the storage of said second part (d), the result of which is in the form of a piece of informational data (H), in that said informational data (H) is stored in said first storage means (1), and in that it includes a reading of said informational data (H), an additional hash operation on said sensitive data, and a comparison between said informational data read and the result of said additional hash operation with each use of said sensitive data, in order to certify its integrity.

8. Method according to claim 7, characterized in that said hash operation is obtained by applying the hash algorithm known as “SHA-1” to said piece of sensitive data.

9. Embedded microchip system equipped with storage means for storing at least one piece of so-called sensitive data, said storage means comprising at least two physically distinct storage devices, characterized in that, said piece of sensitive data being divided into at least two parts (d, d′) with given configurations, each of said storage devices (1, 2) stores one of said parts of sensitive data (d, d′).

10. System according to claim 9, characterized in that said storage means (M) comprise a first read-only storage device of the so-called “ROM” type (1), and a second electrically erasable re-programmable read-only storage device of the so-called “EEPROM” type (2), and in that each of said first (1) and second (2) storage devices store one of said divided parts (d, d′) of said piece of sensitive data.

11. System according to claim 9, characterized in that it is constituted by a smart card (CP).